Objective


• This research focuses on testing whether or not the hazardous conditions identified 
by design-level fault tree analysis will occur in the target implementation. 

Part 1: Integrate fault tree models into functional specifications so as to identify testable
interactions between intended behaviors and hazardous conditions.

Part 2: Develop a test generator that produces not only functional tests but also safety 
tests for a target implementation in a cost-effective way 

Part 3: Develop a testing environment for executing generated functional and safety tests 
and evaluating test results against expected behaviors or hazardous conditions. It includes 
a test harness as well as an environment simulation of external events and conditions. 
Current Work




• Goal 

- Integration of results from hazard analysis in fault trees with functional specifications in 
UML behavior state machines 

• Challenges 

- Identify testable interactions between intended behaviors and hazardous conditions 

- Resolve the mismatch between fault tree models and functional specifications 

□ Some events or unsafe states in a fault tree model may not be found or may have 
no relevant parts in the corresponding functional specifications 
UML Behavioral State Machines


• A UML behavioral state machine can be used to specify the sequences of states an 
object goes through during its lifetime in response to events, together with its 
responses to those events. 

• The behavioral state machine formalism described in UML is an object-based 
variant of Harel statecharts 
Fault Tree Analysis (FTA)

• Useful for reliability and safety analysis 

- First used by Bell Telephone Laboratories in connection with the safety analysis of the
Minuteman missile launch control system in 1962

• A top-down approach starting with an undesirable event called a top event and
then determining all the ways it can happen

- Identify all the top events to be analyzed

- Identify the events that directly contribute to the top-level event

- Continue this process until the lowest level defined or basic level is reached

• Important because if there is a critical failure mode, then all possible ways that 
mode could occur must be discovered 
Fault Tree (FT)

• A fault tree is a graphical model of various parallel and sequential combinations of
faults that will result in the occurrence of the predefined undesired event

- The undesired event constitutes the top event in a fault tree constructed for the system,
and generally consists of a complete, or catastrophic, failure

- The faults can be events that are associated with component hardware failures, human
errors, or any other pertinent events which can lead to the top event

• A fault tree is composed of a number of “event” symbols and “gate” symbols

- An event symbol serves to represent an initiating fault event, an event that is normally
expected to occur, a condition or restriction, or a fault event which occurs because of one
or more antecedent causes acting through logic gates

- A gate serves to permit or inhibit the passage of fault logic up the tree, and shows the
relationships of events needed for the occurrence of a higher event

□ The higher event is the output of the gate

□ The lower events are the inputs to the gate
Events of Fault Tree

• Primary Event

- Basic event: An event that does not require any further development in order to initiate a fault

□ Fault tree symbol: circle

- Conditioning event: An event that describes specific conditions or restrictions that apply to any logic gate

□ Fault tree symbol: ellipse (oval)

□ Used primarily with PRIORITY AND and INHIBIT gates

- Undeveloped event: An event which is not further developed because it is of insufficient consequence
or because information is not available

□ Fault tree symbol: diamond

- External event: An event which is normally expected to occur

□ Fault tree symbol: house

• Intermediate Event

- An event that occurs because of one or more antecedent causes acting through logic gates

□ Fault tree symbol: rectangle
Gates of Fault Tree

• AND-Gate

- Output fault occurs if all of the input faults occur

- Fault tree symbol: AND-gate shape (flat bottom, rounded top)

• OR-Gate

- Output fault occurs if at least one of the input faults occurs

- Fault tree symbol: OR-gate shape (curved bottom, pointed top)

• EXCLUSIVE OR-Gate

- Output fault occurs if exactly one of the input faults occurs

- Fault tree symbol: OR-gate shape marked to indicate exclusivity

• PRIORITY AND-Gate

- Output fault occurs if all of the input faults occur in a specific sequence (the sequence is represented
by a CONDITIONING EVENT drawn to the right of the gate)

- Fault tree symbol: AND-gate shape with the conditioning event (ellipse) drawn to its right

• INHIBIT-Gate

- Output fault occurs if the (single) input fault occurs in the presence of an enabling condition (the
enabling condition is represented by a CONDITIONING EVENT drawn to the right of the gate)

- Fault tree symbol: hexagon with the conditioning event (ellipse) drawn to its right
Examples of Gates (1)

• AND-Gate relationship with dependency explicitly shown

[Figure: an AND-gate with output “Q occurs”; one form has inputs “A occurs” and “B occurs given
the occurrence of A”, the equivalent form has inputs “B occurs” and “A occurs given the occurrence of B”]

• Inhibit-Gate: event Q occurs only if input A occurs under the condition specified by input B

[Figure: an INHIBIT-gate with input A and conditional input B, “existence of low temperature T”]
Examples of Gates (2)

• The INHIBIT-Gate is a special case of the AND-Gate. The output is caused by a single input, but some
qualifying condition must be satisfied before the input can produce the output

• The EXCLUSIVE OR-Gate is a special case of the OR-Gate in which the output event occurs only if
exactly one of the input events occurs

• The PRIORITY AND-Gate is a special case of the AND-Gate in which the output event occurs if all input
events occur in a specified ordered sequence
Construction of Fault Tree

• A fault tree can be constructed based on the Failure Modes and Effects Analysis
(FMEA) and system block diagrams

• Rules of thumb

- No Miracles Rule: If the normal functioning of a component propagates a fault sequence,
then it is assumed that the component functions normally.

- Complete-the-Gate Rule: All inputs to a particular gate should be completely defined
before further analysis of any of them is undertaken.

- No Gate-to-Gate Rule: Gate inputs should be properly defined fault events, and the gates
should not be directly connected to other gates.
Boolean Algebra & Fault Tree Analysis

• The OR-Gate is equivalent to the Boolean symbol “+”

• The AND-Gate is equivalent to the Boolean symbol “•”

• Rules of Boolean Algebra

      Mathematical symbolism                   Engineering symbolism                                  Designation

(1a)  X ∩ Y = Y ∩ X                            X • Y = Y • X                                          Commutative Law
(1b)  X ∪ Y = Y ∪ X                            X + Y = Y + X

(2a)  X ∩ (Y ∩ Z) = (X ∩ Y) ∩ Z                X • (Y • Z) = (X • Y) • Z,  X(YZ) = (XY)Z               Associative Law
(2b)  X ∪ (Y ∪ Z) = (X ∪ Y) ∪ Z                X + (Y + Z) = (X + Y) + Z

(3a)  X ∩ (Y ∪ Z) = (X ∩ Y) ∪ (X ∩ Z)          X • (Y + Z) = (X • Y) + (X • Z),  X(Y + Z) = XY + XZ   Distributive Law
(3b)  X ∪ (Y ∩ Z) = (X ∪ Y) ∩ (X ∪ Z)          X + Y • Z = (X + Y) • (X + Z)

(4a)  X ∩ X = X                                X • X = X                                              Idempotent Law
(4b)  X ∪ X = X                                X + X = X

(5a)  X ∩ (X ∪ Y) = X                          X • (X + Y) = X                                        Law of Absorption
(5b)  X ∪ (X ∩ Y) = X                          X + X • Y = X

(6a)  X ∩ X' = φ                               X • X' = φ                                             Complementation
(6b)  X ∪ X' = Ω = I*                          X + X' = Ω = 1
(6c)  (X')' = X                                (X')' = X

(7a)  (X ∩ Y)' = X' ∪ Y'                       (X • Y)' = X' + Y'                                     de Morgan's Theorem
(7b)  (X ∪ Y)' = X' ∩ Y'                       (X + Y)' = X' • Y'

(8a)  φ ∩ X = φ                                φ • X = φ                                              Operations with φ and Ω
(8b)  φ ∪ X = X                                φ + X = X
(8c)  Ω ∩ X = X                                Ω • X = X
(8d)  Ω ∪ X = Ω                                Ω + X = Ω
(8e)  φ' = Ω                                   φ' = Ω
(8f)  Ω' = φ                                   Ω' = φ

(9a)  X ∪ (X' ∩ Y) = X ∪ Y                     X + X' • Y = X + Y                                     These relationships are unnamed
(9b)  X' ∩ (X ∪ Y') = X' ∩ Y' = (X ∪ Y)'       X' • (X + Y') = X' • Y' = (X + Y)'                     but are frequently useful in the
                                                                                                      reduction process.

* The symbol I is often used instead of Ω to designate the universal set. In engineering notation Ω is
often replaced by 1 and φ by 0.
Examples of Fault Trees

• Fault tree structure for D = A • (B + C)

• An equivalent fault tree for D = A • (B + C)
Minimal Cut Set (1)

• A cut set in a fault tree is a set of basic events whose simultaneous occurrence
ensures that the top event occurs.

• A cut set is said to be minimal if the set cannot be reduced without losing its status
as a cut set.

- The combination is “smallest” in that all the events are needed for the top event to occur.
If one of the events in the cut set does not occur, then the top event will not occur (by this
combination).

• A fault tree may consist of a finite number of minimal cut sets, which are unique
for that top event.
Minimal Cut Set (2)

• The one-event minimal cut sets represent those single events which will cause the
top event to occur

• The two-event minimal cut sets represent those pairs of events which together will
cause the top event to occur

• Similarly, for an n-event minimal cut set, all n events in the cut set must occur in
order for the top event to occur

• The minimal cut sets for the top event can be written in the following general form

- TOP = M1 + M2 + ... + Mm, where TOP is the top event and Mi (1 ≤ i ≤ m) is a minimal cut
set

- Mi = X1 • X2 • ... • Xn, where Xk (1 ≤ k ≤ n) is a basic event in the fault tree
Examples of Minimal Cut Sets

• The top event can be expressed as
a Boolean function of the basic events

E1 = T + E2
   = T + (K2 + E3)
   = T + K2 + (S • E4)
   = T + K2 + (S • (S1 + E5))
   = T + K2 + (S • S1) + (S • E5)
   = T + K2 + (S • S1) + S • (K1 + R)
   = T + K2 + (S • S1) + S • K1 + S • R

• The above expression of the top event
in terms of the basic events of the tree
can be viewed as a Boolean algebraic
equivalent of the tree itself.

• In this example, we have five minimal
cut sets: two singles and three doubles

- K2

- T

- S • S1

- S • K1

- S • R

[Figure: the fault tree for E1, with its intermediate events (E2, E3, E4, E5) and basic events labelled]
Construction of Minimal Cut Set

• The tree is first translated to its equivalent Boolean equations and then either the
“top-down” or “bottom-up” substitution method is used.

- Both methods involve substituting and expanding Boolean expressions.

- Two Boolean laws, the distributive law and the law of absorption, are used to remove the
redundancies.

[Reference 3]

• Tools are available for computing the minimal cut sets of a fault tree
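The top-down substitution method just described, with the distributive law for expansion and the idempotent and absorption laws for removing redundancies, as an added Python example (not part of the original slides and not the authors' tool). The gate encoding (a dict from each non-basic event to an `("AND", inputs)` or `("OR", inputs)` pair) and the function names are assumptions of this example; the event names in `EXAMPLE_TREE` follow the worked derivation E1 = T + E2 on the preceding slide.

```python
"""Minimal cut sets by top-down Boolean substitution (added example, not from the slides).

A fault tree is modelled as a dict mapping each non-basic event to its gate,
("AND", [inputs]) or ("OR", [inputs]). A name with no gate entry is a basic event.
"""
from itertools import product

# Constructed encoding of the slide's worked example:
# E1 = T + E2, E2 = K2 + E3, E3 = S * E4, E4 = S1 + E5, E5 = K1 + R
EXAMPLE_TREE = {
    "E1": ("OR", ["T", "E2"]),
    "E2": ("OR", ["K2", "E3"]),
    "E3": ("AND", ["S", "E4"]),
    "E4": ("OR", ["S1", "E5"]),
    "E5": ("OR", ["K1", "R"]),
}


def expand(event, tree):
    """Return the event as a list of cut sets (frozensets of basic events), i.e. a
    sum-of-products form, by substituting each gate's equation top-down."""
    if event not in tree:
        return [frozenset([event])]          # basic event: a one-event product
    gate, inputs = tree[event]
    child_forms = [expand(i, tree) for i in inputs]
    if gate == "OR":
        # OR just collects the terms of its inputs: X + (Y + Z) = X + Y + Z
        return [cs for form in child_forms for cs in form]
    if gate == "AND":
        # Distributive law: X * (Y + Z) = X*Y + X*Z. The frozenset union also
        # applies the idempotent law X * X = X inside each product.
        return [frozenset().union(*combo) for combo in product(*child_forms)]
    raise ValueError(f"unsupported gate {gate!r}")


def absorb(cut_sets):
    """Law of absorption X + X*Y = X: drop duplicates and any product that is a
    superset of another product. What remains are the minimal cut sets."""
    unique = set(cut_sets)
    return {cs for cs in unique if not any(other < cs for other in unique)}


def minimal_cut_sets(top, tree):
    """Minimal cut sets of `top` in `tree`, as a set of frozensets of basic events."""
    return absorb(expand(top, tree))


if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets("E1", EXAMPLE_TREE), key=lambda s: (len(s), sorted(s))):
        print(" * ".join(sorted(cs)))
```

Run on `EXAMPLE_TREE` this yields the five minimal cut sets of the slide (T, K2, S*S1, S*K1, S*R). The absorption step matters for trees in which an event appears under several gates; the two small trees in the usage below show it collapsing A + A*B to A and A*(A + B) to A.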
Minimal Cut Set Transition

• The occurrence of basic events in a minimal cut set M will lead to the occurrence
of an undesired event and finally cause a transition from a normal state to a fault
state. We define such a transition as a minimal cut set transition.

• Given a fault tree T and a minimal cut set M, we can obtain a subtree, whose root
is the top event of the fault tree, and whose leaves are the basic events in M and
some other primary events (e.g., external events) that cause the top event.

- The subtree contains

□ all the basic events in M (the given minimal cut set)

□ all the other necessary “occurring” primary events (undeveloped, external, and conditioning
events)

□ all the necessary “occurring” intermediate events

□ the top event

• A subtree therefore describes a minimal cut set transition in the behavioral state
machine
Research Issues

• How to simplify a fault tree by deleting all the infeasible and non-causal events
and gates?

- A fault tree may be constructed independently from the construction of the UML
behavior state machine for the target system. Some constraints, which are defined
implicitly or explicitly on the system or on the machine, may affect the occurrence of the
primary and/or non-primary events in the fault tree. How to use these constraints to
simplify the fault tree in order to reduce the complexity of the machine after
combination?

- Proposed Solution

• Given a minimal cut set of a fault tree, how to construct a corresponding subtree
which covers all necessary events leading to the top event?

- Proposed Solution

• How to transform a subtree to a minimal cut set transition?

- Proposed Solution

• How to add the minimal cut set transitions to a UML behavior state machine?

- Proposed Solution

SAS_07_Testing_for_Software_Safety_Chen_Lee_Wong_Xu

Research Issue 1

Simplify a fault tree by deleting all the infeasible
and non-causal events and gates
Infeasible Minimal Cut Set (Transition)

• Theoretically, we can transform the subtrees for the minimal cut sets to minimal
cut set transitions, and then extend the UML behavior state machine to describe the
possibilities of the occurrence of undesired events by adding all minimal cut set
transitions to the machine.

• A minimal cut set transition can be infeasible because of the restrictions on a
specific system. These restrictions are implicitly or explicitly defined, which make
the transition impossible to traverse. We call such a transition an “infeasible”
minimal cut set transition, and the corresponding minimal cut set is an “infeasible”
minimal cut set.

- On the contrary, we have “feasible” minimal cut sets and “feasible” minimal cut set
transitions.

• Identification of “infeasible” minimal cut sets beforehand can

- reduce the complexity of the UML behavior state machine after combination

- help the derivation of traversable test sequences and generation of effective test cases
from the combined machine
Bottom-Up Path

• We define a bottom-up path p = <x1, x2, ..., xn>
from x1 to xn, where xi (1 ≤ i ≤ n) is an event or
a gate in the fault tree

• The path needs to satisfy the following:

- The adjacent events/gates on the path are
connected by a line in the fault tree

- If xi is a gate, xi-1 is an input event of xi
or a conditioning event applied to xi,
and xi+1 is the output event of xi

- If xi is an event, xi+1 can be the successive
event of xi or a gate receiving xi as its input

• A bottom-up path gives the order of
the occurrence of the events
Identification of Infeasible Events & Gates (1)

• A primary/non-primary event with unrealistic constraints is infeasible

- Example: an event “a sportsman jumps for a distance of ten meters” can be regarded as
an infeasible event because a human being cannot jump that far

• A conditioning event is infeasible if the condition specified in the event can never
be reached or the probability specified in the event is 0

• A gate is infeasible if it cannot be passed through based on the combinations of all
its input events

- Example: an AND-Gate I = E1 • E2 but events E1 and E2 cannot occur simultaneously
because they contradict each other

- Example: an OR-Gate I = E1 + E2 but neither E1 nor E2 can occur
Identification of Infeasible Events & Gates (2)


• If any of the input events of an AND-Gate is infeasible, then the AND-gate is 
infeasible 

• If all the input events of an OR-Gate are infeasible, then the OR-Gate is infeasible 

• A gate is infeasible if its conditioning event is infeasible 

• The output event of an infeasible gate is infeasible 

• The successive event of an infeasible event is infeasible 
Identification of Non-Causal Events & Gates

• A non-causal event/gate does not contribute to the occurrence of the top event

- The Boolean equations for the following tree are TOP = I1 + I2; I1 = E1 • I3; I2 = E2 • I4; I3 = E2 • E3 • E4;
I4 = [C1](E6 • E7 • E8). Suppose the conditioning event C1 is infeasible (cannot occur); then the
corresponding AND-gate is infeasible, which makes the intermediate event I4 infeasible. Although the
top event can still occur if E1 and E5 occur, basic events E6, E7, and E8 have no impact on the
occurrence of the top event. They are defined as “non-causal” events.

[Figure: the fault tree described above; C1 is an infeasible conditioning event and E6, E7, and E8 are non-causal events]

- If there does not exist a bottom-up path from an event E (or a gate G) to the top event, on
which all the events/gates are feasible, then E (or G) is a non-causal event (or gate) for
the top event.
Simplification of a Fault Tree

• A fault tree can be simplified by removing all the infeasible and non-causal events
and gates

- In the following tree, events E3, I4, and C1 are infeasible and events E6, E7, and E8 are non-causal

[Figure: the tree with its events and gates marked by three differently drawn X symbols; legend:]

- X: the event/gate is infeasible according to
some constraints on the system

- X: the event/gate is infeasible according to
some deduction rules

- X: the event/gate is a non-causal event/gate.

• If the top event is infeasible, the fault tree can be excluded from further
consideration.
Research Issue 2

Construct a subtree based on a given minimal cut set
Construction of a Subtree for a Given Minimal Cut Set (1)

• A subtree for a minimal cut set M can be obtained by simulating the occurrence
of all the basic events in M

- Step 0: Assume each event in a simplified fault tree can be classified as “occurring”
or “non-occurring”, and each gate can be classified as “passed through” or
“not-passed through”

- Step 1: Initially, mark all the events in the fault tree as “non-occurring” and all the
gates as “not-passed through”

- Step 2: Mark a “non-occurring” basic event as “occurring” if it belongs to M
Construction of a Subtree for a Given Minimal Cut Set (2)

- Step 3: Repeat steps 3.1 to 3.4 until no events in the fault tree can be marked as
“occurring” and no gates can be marked as “passed through”

□ Step 3.1: Mark an external/undeveloped event E as “occurring” if E is an input of an
AND-Gate G and all other basic events and intermediate events received by G are “occurring”

[Figure: an AND-gate G with input E and its remaining inputs bracketed as “occurring events”]

□ Step 3.2: Mark the conditioning event C applied to a gate G as “occurring” if the “occurring”
input events can satisfy the conditions indicated in C

[Figure: a gate G with conditioning event C and its inputs bracketed as “occurring events”]
Construction of a Subtree for a Given Minimal Cut Set (3)

□ Step 3.3: Mark a non-primary event E as “occurring” if E is the output of a “passed through” gate
G or E is the successive event of an “occurring” event

□ Step 3.4: Mark a “not-passed through” gate G as “passed through” if

> G is an OR-Gate, and at least one of its input events is “occurring”, and the applied conditioning event, if it
exists, is also “occurring”

> G is an AND-Gate, and all of its input events are “occurring”, and the applied conditioning event, if it exists,
is also “occurring”

- Step 4: Identify additional non-causal events and gates with respect to the given
minimal cut set which are not removed during the simplification of the fault
tree (as discussed earlier)
Construction of a Subtree for a Given Minimal Cut Set (4)

□ Change an “occurring” event to “non-causal” and a “passed through” gate to “non-causal” if there
does not exist a bottom-up path from the event/gate to the top event, on which all events are
marked as “occurring” and all gates are marked as “passed through”

Let the minimal cut set M = {E1, E2}

When basic events E1 and E2 occur,
intermediate events I1 and I3 will occur.

Since basic event E3 is not in M,
it will not be included in the subtree for M.
That is, E3 is regarded as “infeasible” with respect
to this subtree.

As a result, I2 cannot occur, which makes E1 and
E2 in the right part of the tree “non-causal”.

It is better to represent such E1 and E2 as the
mirror blocks of the E1 and E2 in the left part of
the fault tree. Note that an event may appear
multiple times at different places in a fault tree
and affect different parts of the tree. [Reference 1]

- Step 5: Remove all “non-occurring”/“non-causal” events and all “not-passed through”/
“non-causal” gates from the fault tree
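The infeasibility deduction rules, the bottom-up path test for non-causal events and gates, the simplification of a fault tree, and steps 1 to 5 of the subtree construction above, worked through in one added Python example that is not part of the original slides or the authors' tool. The `Gate`/`FaultTree` model, the function names, the sample tree with the constrained conditioning event C1, and the classification of E1 and E4 in the gas burner tree as external events are assumptions made for this example; the gas burner equations TOP = I1 + E5, I1 = E1 • I2 • E4, I2 = E2 • E3 are the slides' own.

```python
"""Fault tree simplification (infeasible and non-causal pruning) and subtree
construction for a minimal cut set. Added example: the Gate/FaultTree model,
the sample tree and the event classifications are constructed, not from the slides."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gate:
    kind: str                        # "AND" or "OR"; INHIBIT / PRIORITY AND = AND plus a condition
    inputs: List[str]
    condition: Optional[str] = None  # conditioning event applied to the gate, if any


@dataclass
class FaultTree:
    top: str
    gates: Dict[str, Gate]           # output event (intermediate or top) -> gate producing it
    kinds: Dict[str, str]            # primary event -> basic | external | undeveloped | conditioning


def infeasible_sets(tree, constrained):
    """Deduction rules: an AND gate with an infeasible input, an OR gate whose inputs are all
    infeasible, or any gate with an infeasible condition is infeasible, and the output of an
    infeasible gate is infeasible. `constrained` holds events ruled out by system constraints."""
    bad_ev, bad_gt = set(constrained), set()
    changed = True
    while changed:
        changed = False
        for out, g in tree.gates.items():
            dead = [i for i in g.inputs if i in bad_ev]
            gate_dead = (g.condition in bad_ev or (g.kind == "AND" and dead)
                         or (g.kind == "OR" and len(dead) == len(g.inputs)))
            if gate_dead and out not in bad_gt:
                bad_gt.add(out); changed = True
            if out in bad_gt and out not in bad_ev:
                bad_ev.add(out); changed = True
    return bad_ev, bad_gt


def reach_top(tree, good_ev, good_gt):
    """Events with a bottom-up path to the top event on which every event is in good_ev and
    every gate in good_gt, found by walking down from the top through 'good' gates only."""
    seen, stack = set(), [tree.top] if tree.top in good_ev else []
    while stack:
        e = stack.pop()
        if e in seen:
            continue
        seen.add(e)
        g = tree.gates.get(e)
        if g and e in good_gt:
            stack += [x for x in g.inputs + [g.condition] if x in good_ev]
    return seen


def simplify(tree, constrained):
    """Remove infeasible events/gates, then everything without an all-feasible path to the
    top. Returns (pruned tree, infeasible events, non-causal events)."""
    bad_ev, bad_gt = infeasible_sets(tree, constrained)
    good_ev = (set(tree.kinds) | set(tree.gates)) - bad_ev
    causal = reach_top(tree, good_ev, set(tree.gates) - bad_gt)
    gates = {o: Gate(g.kind, [i for i in g.inputs if i in causal],
                     g.condition if g.condition in causal else None)
             for o, g in tree.gates.items() if o in causal}
    kinds = {e: k for e, k in tree.kinds.items() if e in causal}
    return FaultTree(tree.top, gates, kinds), bad_ev, good_ev - causal


def subtree_events(tree, cut_set):
    """Steps 1-5 from the slides: simulate the occurrence of the basic events in the cut set
    on a simplified tree and keep every event/gate on an 'occurring' path to the top."""
    kind = lambda i: tree.kinds.get(i, "intermediate")
    occ, passed = set(cut_set), set()                 # steps 1-2
    changed = True
    while changed:                                    # step 3: repeat 3.1-3.4 to a fixpoint
        changed = False
        for out, g in tree.gates.items():
            if g.kind == "AND" and all(i in occ for i in g.inputs if kind(i) in ("basic", "intermediate")):
                for i in g.inputs:                    # 3.1: external/undeveloped inputs now occur
                    if kind(i) in ("external", "undeveloped") and i not in occ:
                        occ.add(i); changed = True
            fires = (any if g.kind == "OR" else all)(i in occ for i in g.inputs)
            if fires and g.condition and g.condition not in occ:
                occ.add(g.condition); changed = True  # 3.2 (surviving conditions assumed satisfiable)
            if fires and (g.condition is None or g.condition in occ) and out not in passed:
                passed.add(out); changed = True       # 3.4: gate passed through
            if out in passed and out not in occ:
                occ.add(out); changed = True          # 3.3: output of a passed gate occurs
    causal = reach_top(tree, occ, passed)             # step 4: drop non-causal marks
    return causal if tree.top in causal else set()    # step 5; empty means M is not a cut set


# Constructed tree: TOP = I1 + I2; I1 = E1 * I3; I2 = E2 * I4; I3 = E3 * E4; I4 = [C1](E6 * E7),
# where the conditioning event C1 is ruled out by a constraint on the system.
SAMPLE = FaultTree("TOP", {
    "TOP": Gate("OR", ["I1", "I2"]), "I1": Gate("AND", ["E1", "I3"]),
    "I2": Gate("AND", ["E2", "I4"]), "I3": Gate("AND", ["E3", "E4"]),
    "I4": Gate("AND", ["E6", "E7"], condition="C1"),
}, {**{e: "basic" for e in ("E1", "E2", "E3", "E4", "E6", "E7")}, "C1": "conditioning"})

# Gas burner tree from the slides: TOP = I1 + E5; I1 = E1 * I2 * E4; I2 = E2 * E3. Treating E1 and
# E4 as external events is an assumption that matches the subtree the slides list for M2 = {E2, E3}.
BURNER = FaultTree("TOP", {
    "TOP": Gate("OR", ["I1", "E5"]), "I1": Gate("AND", ["E1", "I2", "E4"]), "I2": Gate("AND", ["E2", "E3"]),
}, {"E1": "external", "E2": "basic", "E3": "basic", "E4": "external", "E5": "basic"})

if __name__ == "__main__":
    pruned, infeasible, non_causal = simplify(SAMPLE, {"C1"})
    print("infeasible:", sorted(infeasible), "non-causal:", sorted(non_causal))
    print("subtree for {E2, E3}:", sorted(subtree_events(BURNER, {"E2", "E3"})))
```

On `SAMPLE`, C1 makes the gate for I4 infeasible, hence I4 and then (AND input) I2; E2, E6 and E7 are feasible but have no all-feasible path to TOP, so they are non-causal and are pruned along with the infeasible part. On `BURNER`, the cut set {E5} yields the subtree {E5, TOP} and {E2, E3} yields M2 ∪ {E1, E4} ∪ {I1, I2} ∪ {TOP}, the two subtrees S1 and S2 of the gas burner slides; a set that is not a cut set, such as {E2} alone, never marks the top event and returns the empty set.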
Characteristics of the Subtree

• The subtree constructed at step 5 contains

- all the basic events in M (the given minimal cut set)

- all the other necessary “occurring” primary events (undeveloped, external, and conditioning events)

- all the necessary “occurring” intermediate events

- the top event

Subtree-events(M) = M ∪ {other necessary “occurring” primary events} ∪
{necessary “occurring” intermediate events} ∪ {top event}

- The subtree for a given M does not contain any basic events that are not in M
- The top event of a fault tree must be included in the subtree
Examples of Two Subtrees

• The equivalent Boolean equations for the
fault tree to the right are
TOP = I1 + I2
I1 = E1 • E2
I2 = E3 • E4

• Let minimal cut set M1 = {E1, E2}

- Subtree-events(M1) = M1 ∪ {I1} ∪ {TOP}

- The equivalent Boolean equations for subtree 1

□ T = I1

□ I1 = E1 • E2

• Let minimal cut set M2 = {E3, E4}

- Subtree-events(M2) = M2 ∪ {I2} ∪ {TOP}

- The equivalent Boolean equations for subtree 2

□ T = I2

□ I2 = E3 • E4

[Figure: the fault tree and the subtrees for the minimal cut sets M1 and M2]
Research Issue 3

Transform a subtree to a minimal cut set transition
Run-to-Completion Assumption

• The semantics of event occurrence processing in UML is based on the run-to-
completion assumption, interpreted as run-to-completion processing.

- Run-to-completion processing means that an event occurrence can only be taken from the
event pool and dispatched if the processing of the previous occurrence is fully completed.
[Reference 2]

• Assume that the event occurrence processing in a fault tree is also based on the
run-to-completion assumption.
A Primary Event in a UML Behavior State Machine (1)

• A primary event of a fault tree can be transformed to a trigger or a guard
condition for a transition in a UML behavioral state machine.

- The occurrence of a basic/undeveloped/external event in a fault tree is semantically
equivalent to triggering a transition in a UML behavior state machine

[Figure: a transition with trigger “invoke E”]

- Event E may be prevented from occurring or its effect can be eliminated
A Primary Event in a UML Behavior State Machine (2)

- A conditioning event can be transformed to a transition guard

□ Example:

> Fault Tree: T < TCRITICAL

> UML behavior state machine: [T < TCRITICAL]
An Intermediate Event in a UML Behavior State Machine (1)


• An intermediate event of a fault tree can be transformed to an action in a UML 
behavior state machine 



• Event E may be prevented from occurring or its effect can be eliminated 
An Intermediate Event in a UML Behavior State Machine (2)

• Example 1: I = I1 • I2

An Intermediate Event in a UML Behavior State Machine (3)

• Example 2: I = I1 + I2

An Intermediate Event in a UML Behavior State Machine (4)

• Example 3: I = [C] I1 /* if (I1 occurs under the condition C) {I occurs} */

An Intermediate Event in a UML Behavior State Machine (5)

• Example 4: I = [C] (I1 • I2) /* if (I1 and I2 occur under the condition C) {I occurs} */

An Intermediate Event in a UML Behavior State Machine (6)

• Example 5: I = [C] (I1 + I2) /* if (I1 or I2 occur under the condition C) {I occurs} */
Minimal Cut Set Transition: Example 1

• A subtree for a given minimal cut set M can be transformed to a minimal cut set transition

• The Boolean equations for the following subtree are I = I1 • I2; I1 = E1 • E2; I2 = E3 • E4

Minimal Cut Set Transition: Example 1 (cont’d)

Minimal Cut Set Transition: Example 2

• The Boolean equations for the following subtree are I = I1 • I2; I1 = E1 • E2; I2 = E1 • E3

- Event E1 appears twice: once in Region 1 and once in Region 3
Research Issue 4

Add minimal cut set transitions to
a UML behavior state machine
Combination of UML Machines & Fault Trees (1)

• Suppose a system has one undesired failure represented by the top event of a corresponding fault
tree

• Suppose the top event TOP = M1 + M2 + ... + Mk, where Mi (1 ≤ i ≤ k) is a minimal cut set for the top
event and Si is the corresponding subtree (as discussed before) for Mi

• We combine the original UML behavioral state machine and the fault tree by adding fault regions to
the original machine, each of which contains a minimal cut set transition to a fault state
Combination of UML Machines & Fault Trees (2)


• All regions work in parallel. If any of the undesired regions reaches the fault state 
before the system terminates normally, then the system is not safe. 

• If the system keeps running (i.e., never stops), then the system is not safe if the 
fault state can be reached from any of the fault regions. 

• The same approach applies to a system with multiple undesired failures 
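How a combined machine is exercised by a test sequence, as an added Python example that is not part of the original slides or the authors' test environment. The `Region`/`FaultRegion` classes, the burner region's states and triggers (Off, Igniting, Burning, Shutdown; start, flame_on, stop), the event names E2, E3 and E5 used as triggers, and the temperature guard are all constructed for this example; only the two minimal cut sets M1 = {E5} and M2 = {E2, E3} of the gas burner slides are taken from the page. All regions receive each event occurrence in turn and finish with it before the next one is taken from the pool, and the verdict is "unsafe" as soon as a fault region reaches its fault state before the original region reaches a final state.

```python
"""Combined UML machine: the original behavioral region plus one fault region per
minimal cut set, run in parallel over a single event pool with run-to-completion
dispatch. Added example; the Region/FaultRegion classes, the burner region's states
and triggers, and the temperature guard are constructed, not from the slides."""
from collections import deque


class Region:
    """One orthogonal region of the original machine."""

    def __init__(self, name, initial, transitions, final=()):
        self.name, self.state, self.final = name, initial, set(final)
        self.transitions = transitions      # (source state, trigger) -> (guard, target state)

    def dispatch(self, event, ctx):
        guard, target = self.transitions.get((self.state, event), (None, None))
        if guard is not None and guard(ctx):  # trigger matches and guard holds
            self.state = target
            return True
        return False


class FaultRegion:
    """Fault region holding one minimal cut set transition: it reaches Fault once every
    basic event in the cut set has occurred while the conditioning guard holds."""

    def __init__(self, name, cut_set, guard=lambda ctx: True):
        self.name, self.cut_set, self.guard = name, frozenset(cut_set), guard
        self.seen, self.state = set(), "Normal"

    def dispatch(self, event, ctx):
        if self.state == "Fault" or event not in self.cut_set:
            return False
        self.seen.add(event)
        if self.seen == self.cut_set and self.guard(ctx):
            self.state = "Fault"
        return True


def run(main, fault_regions, events, ctx):
    """Dispatch one event occurrence at a time; every region finishes processing it before
    the next one is taken from the pool (run-to-completion). Returns ("unsafe", region name)
    if a fault region reaches Fault before the main region reaches a final state, otherwise
    ("safe", None) for this event sequence."""
    pool = deque(events)
    while pool:
        event = pool.popleft()
        for region in (main, *fault_regions):
            region.dispatch(event, ctx)
        for region in fault_regions:
            if region.state == "Fault":
                return "unsafe", region.name
        if main.state in main.final:
            return "safe", None
    return "safe", None


def always(ctx):
    return True


def make_burner_region():
    """Constructed stand-in for the gas burner's original machine: start it up,
    keep the flame, shut it down on request."""
    return Region("burner", "Off", {
        ("Off", "start"): (always, "Igniting"),
        ("Igniting", "flame_on"): (always, "Burning"),
        ("Burning", "stop"): (always, "Shutdown"),
    }, final=["Shutdown"])


def burner_fault_regions():
    """Fault regions for the slides' minimal cut sets M1 = {E5} and M2 = {E2, E3}."""
    return [FaultRegion("M1", {"E5"}), FaultRegion("M2", {"E2", "E3"})]


if __name__ == "__main__":
    trace = ["start", "E2", "flame_on", "E3", "stop"]   # constructed test sequence
    print(run(make_burner_region(), burner_fault_regions(), trace, {}))
```

The verdict is per event sequence, which is what a generated safety test checks; the slides' statement about a system that never stops (unsafe if the fault state is reachable at all) is a reachability question over the combined machine rather than over one trace. A guard models a conditioning event: with a guard such as T < TCRITICAL the same basic events leave the fault region in Normal when the context violates the guard.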
A Gas Burner System (1)

• It consists of the following

- an on/off valve to feed air

- an on/off valve to feed fuel

- a flame igniter

- a flame detector

- a controller

• The objectives of the control system for the burner are to

- start it up

- maintain it with an ignited flame

- shut it down when requested

- deal with abnormal and emergency conditions that may arise during operation
A Gas Burner System (2)

• Original UML behavioral state machine
A Gas Burner System (3)

• Boolean equations for the fault tree
TOP = I1 + E5; I1 = E1 • I2 • E4; I2 = E2 • E3

• Minimal cut set M1 = {E5}

- Events in subtree S1 = M1 ∪ {TOP}
- Boolean equations for S1: T = E5

• Minimal cut set M2 = {E2, E3}

- Events in subtree S2 = M2 ∪ {E1, E4}
∪ {I1, I2} ∪ {TOP}
- Boolean equations for S2:

T = I1

I1 = E1 • I2 • E4

I2 = E2 • E3
A Gas Burner System (4)

• Transform subtree S1 (for M1) to its corresponding minimal cut set transition
A Gas Burner System (5)

• Transform subtree S2 (for M2) to its corresponding minimal cut set transition
A Gas Burner System (6)

• Add feasible minimal cut set transitions to the original behavioral state machine.
Conclusion


• Successfully developed a solution to integrate functional specifications in UML 
behavior state machines and hazard analysis in fault trees 

• Writing a comprehensive report due on 12/31/2007 